Attack Chain

1. Initial access to the system via exploitation of a vulnerability or compromised credentials.
2. Attacker gains a foothold on the IIS server.
3. The attacker executes appcmd.exe to modify IIS settings.
4. appcmd.exe is executed with parameters to disable HTTP logging, such as httplogging or dontlog:true.
5. The command modifies the IIS configuration, preventing HTTP request logs from being recorded.
6. The attacker performs malicious actions on the compromised server (e.g., web shell deployment, data theft).
7. With HTTP logging disabled, the attacker’s activities are not recorded in standard IIS logs, hindering forensic analysis.
8. The attacker maintains persistence and continues to exploit the compromised system.

Impact

Successful execution of this attack can lead to a significant reduction in visibility into attacker activities on IIS servers. The lack of HTTP logs hinders incident response efforts, making it difficult to identify the scope and nature of the compromise. This could lead to prolonged attacker presence, further data exfiltration, or deployment of malicious software. This technique is a common step to evade defenses.

Recommendation

• Deploy the Sigma rule Detect IIS HTTP Logging Disabled via AppCmd.exe to your SIEM and tune for your environment.
• Enable Sysmon process creation logging (Event ID 1) to capture command-line arguments of appcmd.exe.
• Monitor process execution events for appcmd.exe with command-line arguments related to httplogging or dontlog:true.
• Investigate any instances of appcmd.exe being executed by non-administrator accounts or unusual parent processes.
• Review IIS configuration regularly for any unauthorized changes to HTTP logging settings.